Why Deloitte Got Hacked (And 6 Things Your Accounting Firm Can Learn From Their Mistakes)

Cyber News

The hacking of Deloitte proves that even industry giants aren’t immune to cyberattacks. Here you’ll see what it takes to minimise the risk of this happening to you.

In an online world, you can never be too safe. This is especially true today when accounting firms rely on cloud-based systems more than ever before. But however careful you might be, you never know when cybercriminals might catch you by surprise.

Deloitte is a perfect example of this. It’s safe to assume that the firm can afford high-end security measures. And yet, attackers managed to find a hole in their system.

As you can imagine, this didn’t only affect the firm. It works with many blue-chip clients, some of them suffered the consequences as well. Aside from the reputation stain, the attack cost Deloitte a lot.

So how did this happen? Is there anything that you can do to avoid Deloitte’s mistakes? Keep reading to find out.

What do we know?

The first thing that we need to discuss is the reason why the attack happened. Despite strong security measures, Deloitte overlooked a simple way of securing your data.

By now, many people are familiar with the concept of two-factor authentication. It adds another layer of security that doesn’t let someone access an account only through a username and password. This can save you from many hacking strategies, and it could’ve saved Deloitte.

Because of single-factor authentication, the attacker was able to get into the administrator’s account. This gave them access to confidential information in the email server. 

The attack happened in 2016, but it wasn’t until September 2017 that the word got out. It’s possible that the attacker had access to all sorts of information for months. This includes IP addresses, health data, login credentials, and business documents.

While Deloitte claimed that only six of their clients got affected by the breach, the actual number could be much higher.

It’s always better to learn from someone else’s mistakes than your own. Here are the most important lessons you should remember from Deloitte’s example.

1. Never try to hide an attack

What would you do if this attack happened to you? A knee-jerk reaction would be to make sure that the word doesn’t get out. You might fear that this would ruin your credibility and make you lose clients.

However scary this might seem, hiding an attack is never a good option. One way or another, the public will probably hear about it at some point. It’s much better to be open about it and control the narrative.

Failing to do this can only cause even more chaos when people inevitably find out what happened. You might lose the trust of your clients, partners, and other parties whose information you store in your system.

2. Don’t underestimate the scope of an attack

A comprehensive cybersecurity strategy doesn’t end once an attack is over. It’s not uncommon for hackers to remain in your system after it seems like the danger has passed. This is exactly what happened to Deloitte. After the initial attack, hackers managed to remain in their server for possibly months.

Of course, the firm did conduct a thorough analysis once they realised this. But they could’ve done it much sooner if they recognised the threat then.

Make sure to review all your security measures after an attack. Look beyond the initial breach and keep a close eye on your system until you can be certain that you’ve fought off the attackers.

3. A data breach is never just about you

This is closely related to the first point. The main reason why you should never hide what happened is that the attack will likely impact your clients as well. They deserve to know what happened, and you need to make sure that they’re up-to-date with everything.

Deloitte informed six of their clients whom they were certain got impacted by the attack. However, whether there were more clients whose data became compromised is still a mystery.

So how do you approach this? Admitting your mistake to the clients can be daunting. This is why you need to let them know that you have everything under control. They should rest assured knowing that their information is still secure. And if it’s not, it’s crucial that you tell them this as well.

This isn’t an easy conversation to have, but it’s better to own up to your mistakes than to try to conceal them.

4. A proper security system pays for itself in short order

High-end security measures can be quite costly. As data protection is a big task that requires a lot of effort, this is completely justified.

The issue is that some businesses aren’t willing to invest in cybersecurity. They might find the expenses unnecessary. In many cases, this is a result of the ‘it won’t happen to me’ mindset. Except that you never know when it might.

In fact, you might be under attack right now without realising it. The better your security systems, the lower the chances of this happening.

If you believe this is costly, think about how much it would cost you if you fell victim to an attack such as Deloitte’s. While there were no official statements, the attack certainly cost the firm a lot of money. Lucky for them, they’re big enough to not let this severely impact the company’s standing.

But you might not be. It only takes one attack to drive an accounting firm into the ground. For this reason, you shouldn’t wait until it’s too late to invest in cutting-edge security.

5. Have strong passwords

A vast majority of cyberattacks can be easily avoided if you have strong passwords. There are many ways for someone to breach your system in a matter of seconds unless your passwords are sophisticated enough.

While this should be common sense, many businesses still fail to do it. Instead, they use obvious passwords that are quite easy to break through. Worse yet, they rely on a single password rather than two-factor authentication. As you can see here, this is exactly what led to Deloitte getting hacked.

Review all your passwords and see if they’re strong enough. They should include numbers and characters in addition to upper- and lower-case letters. As a general rule, the longer and more complex, the better.

The reason why many people don’t do this is that it might be too hard to remember. If this is the case, you can use a password manager that stores all your passwords so that you can access them easily.

6. Don’t allow unlimited access accounts

Deloitte’s hacking incident wouldn’t have been so serious if the company didn’t have any unlimited access accounts. In this case, the compromised account was an administrator account that had access to more than 5 million emails stored on Deloitte’s server.

While the firm said that only a small portion of the emails got affected, informed sources don’t agree. In their words:

‘The hackers had free rein in the network for a long time and nobody knows the amount of the data taken. A large amount of data was extracted, not the small amount reported. The hacker accessed the entire email database.’

None of this would’ve happened if Deloitte had certain limitations in place. Accounts with unlimited access are the main target of many hackers, as their goal is to get the most out of the one chance they get.

It’s the classic ‘don’t put all your eggs in one basket’ situation. Split your data into different accounts, and hold everyone accountable for protecting theirs.

Prevention is better than cure

Deloitte suffered many negative consequences of the attack. While it might not have severely hurt their finances, it definitely made them lose clients’ trust. Some of them even went to the extent of filing class action lawsuits against them. 

To this day, there’s no way to understand the full scope of the attack. This only makes things worse, as the clients can’t really know if their data is secure. Considering Deloitte’s client base, the value of this data is astronomical.

Even if you don’t have as many high-end clients, you still need to be transparent about everything. Explain what happened, guarantee that you’ll do everything in your power to protect your clients, and then do it.

Again, investing in strong security measures can pay off multifold. It can save you millions of dollars, so keep this in mind while choosing the right system. Deloitte didn’t, and you wouldn’t want to find yourself in their shoes.

If you take cybersecurity seriously, make sure to turn to an expert for help. They should be able to provide you with the latest available measures that can bring the risk of an attack down to a minimum.

If you need guidance, we’re here to help. Click here to book a Cyber Security Consultation, and we’ll show you what it takes to protect your business.

 
Read more

Staff Cyber Security Awareness Training During Tax Season: Essential Actions for Accountants

Explore actionable cyber security awareness training tips for accountants during tax season. Discover how Practice Protect, America's leading cyber security platform for accounting professionals, fortifies your firm against cyber threats. Read more

FTC Safeguards Rule Compliance – A complete guide for Accountants

The FTC safeguards rule has captured a lot of attention in recent years among the Accounting, Bookkeeping and Tax preparer community. With its complexities and implications, this regulation has left many practitioners pondering what it truly means for their practices and whether proactive steps are required. Working with over 24,000+ accountants, we have first hand […] Read more

PTIN Renewal 2023 – A Quick & Simple guide for accountants

Are you a tax professional preparing for your PTIN renewal in 2023? Renewing your Preparer Tax Identification Number (PTIN) is crucial, but that’s not the only aspect to consider. The IRS has introduced new guidelines, including IRS 4557, emphasizing the importance of data security for tax preparers in the United States. In this quick and […] Read more